|
|
0d5c10 |
From 2476a35d0ad4055d52c33c03bb82031f6f19c794 Mon Sep 17 00:00:00 2001
|
|
|
0d5c10 |
From: Watson Sato <wsato@redhat.com>
|
|
|
0d5c10 |
Date: Fri, 15 Mar 2019 17:11:37 +0100
|
|
|
0d5c10 |
Subject: [PATCH 1/6] Enable privileged_commands test to run on Fedora
|
|
|
0d5c10 |
|
|
|
0d5c10 |
Also create audit rules directory, to ensure scenario setup always
|
|
|
0d5c10 |
works.
|
|
|
0d5c10 |
---
|
|
|
0d5c10 |
.../rhel7_augenrules_default.fail.sh | 2 +-
|
|
|
0d5c10 |
.../rhel7_augenrules_missing_rule.fail.sh | 3 ++-
|
|
|
0d5c10 |
.../rhel7_augenrules_one_rule.fail.sh | 1 +
|
|
|
0d5c10 |
.../rhel7_augenrules_rules_configured.pass.sh | 3 ++-
|
|
|
0d5c10 |
.../rhel7_augenrules_rules_configured_mixed_keys.pass.sh | 3 ++-
|
|
|
0d5c10 |
.../rhel7_augenrules_two_rules_mixed_keys.fail.sh | 3 ++-
|
|
|
0d5c10 |
.../rhel7_rules_with_own_key.pass.sh | 2 +-
|
|
|
0d5c10 |
.../rhel7_auditctl_4294967295_configured.pass.sh | 1 +
|
|
|
0d5c10 |
.../rhel7_auditctl_unset_configured.pass.sh | 1 +
|
|
|
0d5c10 |
.../rhel7_augenrules_4294967295_configured.pass.sh | 4 ++--
|
|
|
0d5c10 |
.../rhel7_augenrules_remove_all_rules.fail.sh | 4 ++--
|
|
|
0d5c10 |
.../rhel7_augenrules_substring_rule.fail.sh | 4 ++--
|
|
|
0d5c10 |
.../rhel7_augenrules_superstring_rule.fail.sh | 4 ++--
|
|
|
0d5c10 |
.../rhel7_augenrules_unset_configured.pass.sh | 4 ++--
|
|
|
0d5c10 |
.../rhel7_rules_with_own_key.pass.sh | 3 +--
|
|
|
0d5c10 |
15 files changed, 24 insertions(+), 18 deletions(-)
|
|
|
0d5c10 |
|
|
|
0d5c10 |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_default.fail.sh
|
|
|
0d5c10 |
index 2442fc22f8..4713a53605 100644
|
|
|
0d5c10 |
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_default.fail.sh
|
|
|
0d5c10 |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_default.fail.sh
|
|
|
0d5c10 |
@@ -1,6 +1,6 @@
|
|
|
0d5c10 |
#!/bin/bash
|
|
|
0d5c10 |
# profiles = xccdf_org.ssgproject.content_profile_pci-dss
|
|
|
0d5c10 |
# remediation = bash
|
|
|
0d5c10 |
-# platform = Red Hat Enterprise Linux 7
|
|
|
0d5c10 |
+# platform = Red Hat Enterprise Linux 7,Fedora
|
|
|
0d5c10 |
|
|
|
0d5c10 |
# augenrules is default for rhel7
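Review bot: The closing comment `# augenrules is default for rhel7` is now also read by a Fedora run, and it does not say why the scenario sets nothing up; `# augenrules is the default rule loader on RHEL 7 and Fedora: with no rules.d file present the check must fail` would carry the same information for both platforms named in the new `# platform` line. Anything the scenario does after this comment lies outside the hunk, so I cannot confirm it is otherwise empty.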
|
|
|
0d5c10 |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_missing_rule.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_missing_rule.fail.sh
|
|
|
0d5c10 |
index 69e659d53c..c007f5dd24 100644
|
|
|
0d5c10 |
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_missing_rule.fail.sh
|
|
|
0d5c10 |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_missing_rule.fail.sh
|
|
|
0d5c10 |
@@ -1,7 +1,8 @@
|
|
|
0d5c10 |
#!/bin/bash
|
|
|
0d5c10 |
# profiles = xccdf_org.ssgproject.content_profile_pci-dss
|
|
|
0d5c10 |
# remediation = bash
|
|
|
0d5c10 |
-# platform = Red Hat Enterprise Linux 7
|
|
|
0d5c10 |
+# platform = Red Hat Enterprise Linux 7,Fedora
|
|
|
0d5c10 |
|
|
|
0d5c10 |
+mkdir -p /etc/audit/rules.d
|
|
|
0d5c10 |
./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/rules.d/privileged.rules
|
|
|
0d5c10 |
sed -i '/newgrp/d' /etc/audit/rules.d/privileged.rules
|
|
|
0d5c10 |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_one_rule.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_one_rule.fail.sh
|
|
|
0d5c10 |
index aa8e01cf11..591109a013 100644
|
|
|
0d5c10 |
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_one_rule.fail.sh
|
|
|
0d5c10 |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_one_rule.fail.sh
|
|
|
0d5c10 |
@@ -3,4 +3,5 @@
|
|
|
0d5c10 |
# remediation = bash
|
|
|
0d5c10 |
# platform = Red Hat Enterprise Linux 7
|
|
|
0d5c10 |
|
|
|
0d5c10 |
+mkdir -p /etc/audit/rules.d
|
|
|
0d5c10 |
echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/privileged.rules
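Review bot: This scenario gains the `mkdir -p /etc/audit/rules.d` setup but keeps `# platform = Red Hat Enterprise Linux 7` at the top of the hunk, so it will still be skipped on Fedora even though the commit exists to run the privileged_commands scenarios there and every sibling scenario in this patch gains `,Fedora`. Unless there is a Fedora-specific reason to leave it out, change the line to `# platform = Red Hat Enterprise Linux 7,Fedora`.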
|
|
|
0d5c10 |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_rules_configured.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_rules_configured.pass.sh
|
|
|
0d5c10 |
index fa1d72ff0a..913ca44025 100644
|
|
|
0d5c10 |
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_rules_configured.pass.sh
|
|
|
0d5c10 |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_rules_configured.pass.sh
|
|
|
0d5c10 |
@@ -1,6 +1,7 @@
|
|
|
0d5c10 |
#!/bin/bash
|
|
|
0d5c10 |
# profiles = xccdf_org.ssgproject.content_profile_pci-dss
|
|
|
0d5c10 |
# remediation = bash
|
|
|
0d5c10 |
-# platform = Red Hat Enterprise Linux 7
|
|
|
0d5c10 |
+# platform = Red Hat Enterprise Linux 7,Fedora
|
|
|
0d5c10 |
|
|
|
0d5c10 |
+mkdir -p /etc/audit/rules.d
|
|
|
0d5c10 |
./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/rules.d/privileged.rules
|
|
|
0d5c10 |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_rules_configured_mixed_keys.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_rules_configured_mixed_keys.pass.sh
|
|
|
0d5c10 |
index 40aea6c963..a0ba4fac7d 100644
|
|
|
0d5c10 |
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_rules_configured_mixed_keys.pass.sh
|
|
|
0d5c10 |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_rules_configured_mixed_keys.pass.sh
|
|
|
0d5c10 |
@@ -1,8 +1,9 @@
|
|
|
0d5c10 |
#!/bin/bash
|
|
|
0d5c10 |
# profiles = xccdf_org.ssgproject.content_profile_pci-dss
|
|
|
0d5c10 |
# remediation = bash
|
|
|
0d5c10 |
-# platform = Red Hat Enterprise Linux 7
|
|
|
0d5c10 |
+# platform = Red Hat Enterprise Linux 7,Fedora
|
|
|
0d5c10 |
|
|
|
0d5c10 |
+mkdir -p /etc/audit/rules.d
|
|
|
0d5c10 |
./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/rules.d/privileged.rules
|
|
|
0d5c10 |
# change key of rules for binaries in /usr/sbin
|
|
|
0d5c10 |
# A mixed conbination of -k and -F key= should be accepted
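Review bot: The comment on the last line misspells "combination" (`# A mixed conbination of -k and -F key= should be accepted`); since the hunk already edits this file's header, folding the fix in is cheap. The lines that actually rewrite the keys of the /usr/sbin rules come after the hunk, so I cannot see whether they produce the mix the comment promises.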
|
|
|
0d5c10 |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_two_rules_mixed_keys.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_two_rules_mixed_keys.fail.sh
|
|
|
0d5c10 |
index eb2ae8cdc9..bc4a7c4bfe 100644
|
|
|
0d5c10 |
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_two_rules_mixed_keys.fail.sh
|
|
|
0d5c10 |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_two_rules_mixed_keys.fail.sh
|
|
|
0d5c10 |
@@ -1,7 +1,8 @@
|
|
|
0d5c10 |
#!/bin/bash
|
|
|
0d5c10 |
# profiles = xccdf_org.ssgproject.content_profile_pci-dss
|
|
|
0d5c10 |
# remediation = bash
|
|
|
0d5c10 |
-# platform = Red Hat Enterprise Linux 7
|
|
|
0d5c10 |
+# platform = Red Hat Enterprise Linux 7,Fedora
|
|
|
0d5c10 |
|
|
|
0d5c10 |
+mkdir -p /etc/audit/rules.d
|
|
|
0d5c10 |
echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/privileged.rules
|
|
|
0d5c10 |
echo "-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules
|
|
|
0d5c10 |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_rules_with_own_key.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_rules_with_own_key.pass.sh
|
|
|
0d5c10 |
index 1b376d0e0f..c40fd133dd 100644
|
|
|
0d5c10 |
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_rules_with_own_key.pass.sh
|
|
|
0d5c10 |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_rules_with_own_key.pass.sh
|
|
|
0d5c10 |
@@ -1,6 +1,6 @@
|
|
|
0d5c10 |
#!/bin/bash
|
|
|
0d5c10 |
# profiles = xccdf_org.ssgproject.content_profile_pci-dss
|
|
|
0d5c10 |
# remediation = bash
|
|
|
0d5c10 |
-# platform = Red Hat Enterprise Linux 7
|
|
|
0d5c10 |
+# platform = Red Hat Enterprise Linux 7,Fedora
|
|
|
0d5c10 |
|
|
|
0d5c10 |
./generate_privileged_commands_rule.sh 1000 own_key /etc/audit/rules.d/privileged.rules
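Review bot: This is the one augenrules scenario in the patch that gains `Fedora` without also gaining `mkdir -p /etc/audit/rules.d`, yet the generator on the last line writes straight to `/etc/audit/rules.d/privileged.rules`, so on an image where the directory is absent setup fails in exactly the way the commit message says it wants to prevent. Add `mkdir -p /etc/audit/rules.d` before the generate line, as in the sibling scenarios.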
|
|
|
0d5c10 |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_auditctl_4294967295_configured.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_auditctl_4294967295_configured.pass.sh
|
|
|
0d5c10 |
index 93f90a1c5b..52b28d2c30 100644
|
|
|
0d5c10 |
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_auditctl_4294967295_configured.pass.sh
|
|
|
0d5c10 |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_auditctl_4294967295_configured.pass.sh
|
|
|
0d5c10 |
@@ -1,6 +1,7 @@
|
|
|
0d5c10 |
#!/bin/bash
|
|
|
0d5c10 |
# profiles = xccdf_org.ssgproject.content_profile_ospp
|
|
|
0d5c10 |
# remediation = bash
|
|
|
0d5c10 |
+# platform = Red Hat Enterprise Linux 7
|
|
|
0d5c10 |
|
|
|
0d5c10 |
echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/audit.rules
|
|
|
0d5c10 |
sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
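Review bot: The new `# platform` line keeps this scenario RHEL 7-only while the augenrules siblings gain Fedora, but nothing says why; a comment such as `# RHEL 7 only: the scenario rewrites ExecStartPost in /usr/lib/systemd/system/auditd.service to switch auditd to auditctl` would keep the next person from "fixing" the platform list. The sed on the last line also leaves `ExecStartPost=-/sbin/auditctl` with no `-R /etc/audit/audit.rules`, so the rule appended to audit.rules would not be loaded if auditd were restarted; if the check only pattern-matches the ExecStartPost line that is fine, but it is worth stating in the same comment.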
|
|
|
0d5c10 |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_auditctl_unset_configured.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_auditctl_unset_configured.pass.sh
|
|
|
0d5c10 |
index bda4011950..4a8627e1be 100644
|
|
|
0d5c10 |
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_auditctl_unset_configured.pass.sh
|
|
|
0d5c10 |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_auditctl_unset_configured.pass.sh
|
|
|
0d5c10 |
@@ -1,6 +1,7 @@
|
|
|
0d5c10 |
#!/bin/bash
|
|
|
0d5c10 |
# profiles = xccdf_org.ssgproject.content_profile_ospp
|
|
|
0d5c10 |
# remediation = bash
|
|
|
0d5c10 |
+# platform = Red Hat Enterprise Linux 7
|
|
|
0d5c10 |
|
|
|
0d5c10 |
echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/audit.rules
|
|
|
0d5c10 |
sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
|
|
|
0d5c10 |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_4294967295_configured.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_4294967295_configured.pass.sh
|
|
|
0d5c10 |
index c1385fe491..13054c36d4 100644
|
|
|
0d5c10 |
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_4294967295_configured.pass.sh
|
|
|
0d5c10 |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_4294967295_configured.pass.sh
|
|
|
0d5c10 |
@@ -1,7 +1,7 @@
|
|
|
0d5c10 |
#!/bin/bash
|
|
|
0d5c10 |
# profiles = xccdf_org.ssgproject.content_profile_ospp
|
|
|
0d5c10 |
# remediation = bash
|
|
|
0d5c10 |
+# platform = Red Hat Enterprise Linux 7,Fedora
|
|
|
0d5c10 |
|
|
|
0d5c10 |
+mkdir -p /etc/audit/rules.d
|
|
|
0d5c10 |
echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/privileged.rules
|
|
|
0d5c10 |
-# This is a trick to fail setup of this test in rhel6 systems
|
|
|
0d5c10 |
-ls /usr/lib/systemd/system/auditd.service
|
|
|
0d5c10 |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_remove_all_rules.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_remove_all_rules.fail.sh
|
|
|
0d5c10 |
index 7ef3deb40b..8a05910a39 100644
|
|
|
0d5c10 |
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_remove_all_rules.fail.sh
|
|
|
0d5c10 |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_remove_all_rules.fail.sh
|
|
|
0d5c10 |
@@ -1,8 +1,8 @@
|
|
|
0d5c10 |
#!/bin/bash
|
|
|
0d5c10 |
# profiles = xccdf_org.ssgproject.content_profile_ospp
|
|
|
0d5c10 |
# remediation = bash
|
|
|
0d5c10 |
+# platform = Red Hat Enterprise Linux 7,Fedora
|
|
|
0d5c10 |
|
|
|
0d5c10 |
+mkdir -p /etc/audit/rules.d
|
|
|
0d5c10 |
rm -f /etc/audit/rules.d/*
|
|
|
0d5c10 |
> /etc/audit/audit.rules
|
|
|
0d5c10 |
-# This is a trick to fail setup of this test in rhel6 systems
|
|
|
0d5c10 |
-ls /usr/lib/systemd/system/auditd.service
|
|
|
0d5c10 |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_substring_rule.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_substring_rule.fail.sh
|
|
|
0d5c10 |
index 54df301ec7..8cc460e965 100644
|
|
|
0d5c10 |
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_substring_rule.fail.sh
|
|
|
0d5c10 |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_substring_rule.fail.sh
|
|
|
0d5c10 |
@@ -1,7 +1,7 @@
|
|
|
0d5c10 |
#!/bin/bash
|
|
|
0d5c10 |
# profiles = xccdf_org.ssgproject.content_profile_ospp
|
|
|
0d5c10 |
# remediation = bash
|
|
|
0d5c10 |
+# platform = Red Hat Enterprise Linux 7,Fedora
|
|
|
0d5c10 |
|
|
|
0d5c10 |
+mkdir -p /etc/audit/rules.d
|
|
|
0d5c10 |
echo "-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/privileged.rules
|
|
|
0d5c10 |
-# This is a trick to fail setup of this test in rhel6 systems
|
|
|
0d5c10 |
-ls /usr/lib/systemd/system/auditd.service
|
|
|
0d5c10 |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_superstring_rule.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_superstring_rule.fail.sh
|
|
|
0d5c10 |
index 5de32da121..0c72b90456 100644
|
|
|
0d5c10 |
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_superstring_rule.fail.sh
|
|
|
0d5c10 |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_superstring_rule.fail.sh
|
|
|
0d5c10 |
@@ -1,7 +1,7 @@
|
|
|
0d5c10 |
#!/bin/bash
|
|
|
0d5c10 |
# profiles = xccdf_org.ssgproject.content_profile_ospp
|
|
|
0d5c10 |
# remediation = bash
|
|
|
0d5c10 |
+# platform = Red Hat Enterprise Linux 7,Fedora
|
|
|
0d5c10 |
|
|
|
0d5c10 |
+mkdir -p /etc/audit/rules.d
|
|
|
0d5c10 |
echo "-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/privileged.rules
|
|
|
0d5c10 |
-# This is a trick to fail setup of this test in rhel6 systems
|
|
|
0d5c10 |
-ls /usr/lib/systemd/system/auditd.service
|
|
|
0d5c10 |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_unset_configured.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_unset_configured.pass.sh
|
|
|
0d5c10 |
index 4aa01afad9..0cf6de31a3 100644
|
|
|
0d5c10 |
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_unset_configured.pass.sh
|
|
|
0d5c10 |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_unset_configured.pass.sh
|
|
|
0d5c10 |
@@ -1,7 +1,7 @@
|
|
|
0d5c10 |
#!/bin/bash
|
|
|
0d5c10 |
# profiles = xccdf_org.ssgproject.content_profile_ospp
|
|
|
0d5c10 |
# remediation = bash
|
|
|
0d5c10 |
+# platform = Red Hat Enterprise Linux 7,Fedora
|
|
|
0d5c10 |
|
|
|
0d5c10 |
+mkdir -p /etc/audit/rules.d
|
|
|
0d5c10 |
echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/privileged.rules
|
|
|
0d5c10 |
-# This is a trick to fail setup of this test in rhel6 systems
|
|
|
0d5c10 |
-ls /usr/lib/systemd/system/auditd.service
|
|
|
0d5c10 |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_rules_with_own_key.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_rules_with_own_key.pass.sh
|
|
|
0d5c10 |
index e267050ae1..a264144bd2 100644
|
|
|
0d5c10 |
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_rules_with_own_key.pass.sh
|
|
|
0d5c10 |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_rules_with_own_key.pass.sh
|
|
|
0d5c10 |
@@ -1,7 +1,6 @@
|
|
|
0d5c10 |
#!/bin/bash
|
|
|
0d5c10 |
# profiles = xccdf_org.ssgproject.content_profile_ospp
|
|
|
0d5c10 |
# remediation = bash
|
|
|
0d5c10 |
+# platform = Red Hat Enterprise Linux 7,Fedora
|
|
|
0d5c10 |
|
|
|
0d5c10 |
echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key" >> /etc/audit/rules.d/privileged.rules
|
|
|
0d5c10 |
-# This is a trick to fail setup of this test in rhel6 systems
|
|
|
0d5c10 |
-ls /usr/lib/systemd/system/auditd.service
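Review bot: The `ls` guard is dropped and Fedora added, but unlike the other sudo augenrules scenarios in this patch no `mkdir -p /etc/audit/rules.d` precedes the `echo ... >> /etc/audit/rules.d/privileged.rules`, so on a system without that directory the redirect fails and scenario setup breaks instead of testing anything. Insert `mkdir -p /etc/audit/rules.d` above the echo line.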
|
|
|
0d5c10 |
|
|
|
0d5c10 |
From 6ac52cb2183484685c2632cecdfc5724767b1f79 Mon Sep 17 00:00:00 2001
|
|
|
0d5c10 |
From: Watson Sato <wsato@redhat.com>
|
|
|
0d5c10 |
Date: Fri, 15 Mar 2019 16:01:37 +0100
|
|
|
0d5c10 |
Subject: [PATCH 2/6] Add test for duplicated audit rules
|
|
|
0d5c10 |
|
|
|
0d5c10 |
The rules don't need to be exactly the same to be considered duplicates.
|
|
|
0d5c10 |
- auid unset and auid 4294967295 are equivalent
|
|
|
0d5c10 |
- "-k" and "-F key=" are equivalent
|
|
|
0d5c10 |
---
|
|
|
0d5c10 |
.../rhel7_augenrules_duplicated.fail.sh | 11 +++++++++++
|
|
|
0d5c10 |
.../rhel7_augenrules_duplicated.fail.sh | 8 ++++++++
|
|
|
0d5c10 |
2 files changed, 19 insertions(+)
|
|
|
0d5c10 |
create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_duplicated.fail.sh
|
|
|
0d5c10 |
create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_duplicated.fail.sh
|
|
|
0d5c10 |
|
|
|
0d5c10 |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_duplicated.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_duplicated.fail.sh
|
|
|
0d5c10 |
new file mode 100644
|
|
|
0d5c10 |
index 0000000000..19b12d0906
|
|
|
0d5c10 |
--- /dev/null
|
|
|
0d5c10 |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_duplicated.fail.sh
|
|
|
0d5c10 |
@@ -0,0 +1,11 @@
|
|
|
0d5c10 |
+#!/bin/bash
|
|
|
0d5c10 |
+# profiles = xccdf_org.ssgproject.content_profile_ospp,xccdf_org.ssgproject.content_profile_pci-dss
|
|
|
0d5c10 |
+# Remediation for this rule cannot remove the duplicates
|
|
|
0d5c10 |
+# remediation = none
|
|
|
0d5c10 |
+# platform = Red Hat Enterprise Linux 7,Fedora
|
|
|
0d5c10 |
+
|
|
|
0d5c10 |
+mkdir -p /etc/audit/rules.d
|
|
|
0d5c10 |
+./generate_privileged_commands_rule.sh 1000 privileged /tmp/privileged.rules
|
|
|
0d5c10 |
+
|
|
|
0d5c10 |
+cp /tmp/privileged.rules /etc/audit/rules.d/privileged.rules
|
|
|
0d5c10 |
+sed 's/unset/4294967295/' /tmp/privileged.rules >> /etc/audit/rules.d/privileged.rules
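Review bot: The scenario writes the generated rules to the fixed path `/tmp/privileged.rules`, a predictable name in a world-writable directory that is also never removed; use `tmp_rules=$(mktemp)` with `trap 'rm -f -- "$tmp_rules"' EXIT` and pass `"$tmp_rules"` to the generator, the cp and the sed. The `sed 's/unset/4294967295/'` step assumes each generated line carries `auid!=unset` exactly once, which holds for the rules the generator emits here, but a comment stating the intent (`# same rules spelled with the numeric auid, so the check must see them as duplicates`) would make the scenario self-explanatory.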
|
|
|
0d5c10 |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_duplicated.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_duplicated.fail.sh
|
|
|
0d5c10 |
new file mode 100644
|
|
|
0d5c10 |
index 0000000000..c3a0e1dbb3
|
|
|
0d5c10 |
--- /dev/null
|
|
|
0d5c10 |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_duplicated.fail.sh
|
|
|
0d5c10 |
@@ -0,0 +1,8 @@
|
|
|
0d5c10 |
+#!/bin/bash
|
|
|
0d5c10 |
+# profiles = xccdf_org.ssgproject.content_profile_ospp
|
|
|
0d5c10 |
+# remediation = bash
|
|
|
0d5c10 |
+# platform = Red Hat Enterprise Linux 7,Fedora
|
|
|
0d5c10 |
+
|
|
|
0d5c10 |
+mkdir -p /etc/audit/rules.d
|
|
|
0d5c10 |
+echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/privileged.rules
|
|
|
0d5c10 |
+echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules
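Review bot: The sibling `rhel7_augenrules_duplicated.fail.sh` added in the same commit for the privileged_commands rule is marked `# remediation = none` with the comment that remediation cannot remove duplicates, while this scenario keeps `# remediation = bash`; for a `.fail.sh` scenario that means the harness expects the bash fix to collapse the two sudo rules into one. If the sudo remediation really does that, a comment such as `# The sudo remediation rewrites both rules into a single one, so the remediated system must pass` would document it; otherwise this should be `# remediation = none` as well. The remediation's duplicate handling is not visible from this hunk.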
|
|
|
0d5c10 |
|
|
|
0d5c10 |
From 160ddfa6b662dfc129f308ba239e87339e4adbf6 Mon Sep 17 00:00:00 2001
|
|
|
0d5c10 |
From: Watson Sato <wsato@redhat.com>
|
|
|
0d5c10 |
Date: Fri, 15 Mar 2019 16:00:24 +0100
|
|
|
0d5c10 |
Subject: [PATCH 3/6] Fail check when there is more than one audit rule for a
|
|
|
0d5c10 |
given path
|
|
|
0d5c10 |
|
|
|
0d5c10 |
Duplicated rules cause loading of audit rules to fail.
|
|
|
0d5c10 |
- There should exist only one match
|
|
|
0d5c10 |
- Examine all instances (objects found)
|
|
|
0d5c10 |
- Do not capture key of rule (we don't use it)
|
|
|
0d5c10 |
---
|
|
|
0d5c10 |
.../template_OVAL_audit_rules_privileged_commands | 12 ++++++------
|
|
|
0d5c10 |
1 file changed, 6 insertions(+), 6 deletions(-)
|
|
|
0d5c10 |
|
|
|
0d5c10 |
diff --git a/shared/templates/template_OVAL_audit_rules_privileged_commands b/shared/templates/template_OVAL_audit_rules_privileged_commands
|
|
|
0d5c10 |
index 602f29de5d..b738cdfa54 100644
|
|
|
0d5c10 |
--- a/shared/templates/template_OVAL_audit_rules_privileged_commands
|
|
|
0d5c10 |
+++ b/shared/templates/template_OVAL_audit_rules_privileged_commands
|
|
|
0d5c10 |
@@ -28,22 +28,22 @@
|
|
|
0d5c10 |
</criteria>
|
|
|
0d5c10 |
</definition>
|
|
|
0d5c10 |
|
|
|
0d5c10 |
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="audit augenrules {{{ NAME }}}" id="test_{{{ ID }}}_augenrules" version="1">
|
|
|
0d5c10 |
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules {{{ NAME }}}" id="test_{{{ ID }}}_augenrules" version="1">
|
|
|
0d5c10 |
<ind:object object_ref="object_{{{ ID }}}_augenrules" />
|
|
|
0d5c10 |
</ind:textfilecontent54_test>
|
|
|
0d5c10 |
<ind:textfilecontent54_object id="object_{{{ ID }}}_augenrules" version="1">
|
|
|
0d5c10 |
<ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
|
|
|
0d5c10 |
- <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
|
|
|
0d5c10 |
- <ind:instance datatype="int">1</ind:instance>
|
|
|
0d5c10 |
+ <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
|
|
|
0d5c10 |
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
|
|
0d5c10 |
</ind:textfilecontent54_object>
|
|
|
0d5c10 |
|
|
|
0d5c10 |
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="audit auditctl {{{ NAME }}}" id="test_{{{ ID }}}_auditctl" version="1">
|
|
|
0d5c10 |
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl {{{ NAME }}}" id="test_{{{ ID }}}_auditctl" version="1">
|
|
|
0d5c10 |
<ind:object object_ref="object_{{{ ID }}}_auditctl" />
|
|
|
0d5c10 |
</ind:textfilecontent54_test>
|
|
|
0d5c10 |
<ind:textfilecontent54_object id="object_{{{ ID }}}_auditctl" version="1">
|
|
|
0d5c10 |
<ind:filepath>/etc/audit/audit.rules</ind:filepath>
|
|
|
0d5c10 |
- <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
|
|
|
0d5c10 |
- <ind:instance datatype="int">1</ind:instance>
|
|
|
0d5c10 |
+ <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
|
|
|
0d5c10 |
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
|
|
0d5c10 |
</ind:textfilecontent54_object>
|
|
|
0d5c10 |
|
|
|
0d5c10 |
</def-group>
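Review bot: Switching both tests to `check_existence="only_one_exists"` together with `operation="greater than or equal"` on the instance element changes their meaning (any second match, in the same or another `*.rules` file, now fails), but the template carries no comment saying so, and the reason — auditd refuses to load a duplicated rule — lives only in the commit message. Add an XML comment above each object along the lines of `<!-- collect every matching line; more than one match (in any rules.d file) fails the test because a duplicated rule makes the audit rule set fail to load -->`. The regex still fixes the filter order, so a rule with the same filters in a different order is reported as missing rather than duplicated — presumably acceptable, but worth stating in the same comment. The criteria that combine the two tests are above the hunk.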
|
|
|
0d5c10 |
|
|
|
0d5c10 |
From 08a30fe02fc60c63a2057382ce5cd9de9d0fd877 Mon Sep 17 00:00:00 2001
|
|
|
0d5c10 |
From: Watson Sato <wsato@redhat.com>
|
|
|
0d5c10 |
Date: Fri, 15 Mar 2019 15:56:42 +0100
|
|
|
0d5c10 |
Subject: [PATCH 4/6] Reset ARCH
|
|
|
0d5c10 |
|
|
|
0d5c10 |
The variable should be reset so that we don't use a value set
|
|
|
0d5c10 |
by some previous remediation.
|
|
|
0d5c10 |
---
|
|
|
0d5c10 |
shared/templates/template_BASH_audit_rules_privileged_commands | 2 ++
|
|
|
0d5c10 |
1 file changed, 2 insertions(+)
|
|
|
0d5c10 |
|
|
|
0d5c10 |
diff --git a/shared/templates/template_BASH_audit_rules_privileged_commands b/shared/templates/template_BASH_audit_rules_privileged_commands
|
|
|
0d5c10 |
index 90807084e8..612f8a0826 100644
|
|
|
0d5c10 |
--- a/shared/templates/template_BASH_audit_rules_privileged_commands
|
|
|
0d5c10 |
+++ b/shared/templates/template_BASH_audit_rules_privileged_commands
|
|
|
0d5c10 |
@@ -5,6 +5,8 @@
|
|
|
0d5c10 |
|
|
|
0d5c10 |
PATTERN="-a always,exit -F path={{{ PATH }}}\\s\\+.*"
|
|
|
0d5c10 |
GROUP="privileged"
|
|
|
0d5c10 |
+# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
|
|
|
0d5c10 |
+ARCH=""
|
|
|
0d5c10 |
FULL_RULE="-a always,exit -F path={{{ PATH }}} -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged"
|
|
|
0d5c10 |
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
|
|
|
0d5c10 |
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
|
|
|
0d5c10 |
|
|
|
0d5c10 |
From 8e83eb070f6cc7931e8c1005cd8eb7674e1bf186 Mon Sep 17 00:00:00 2001
|
|
|
0d5c10 |
From: Watson Sato <wsato@redhat.com>
|
|
|
0d5c10 |
Date: Fri, 15 Mar 2019 16:31:20 +0100
|
|
|
0d5c10 |
Subject: [PATCH 5/6] Test if remediation can handle rules in separate files
|
|
|
0d5c10 |
|
|
|
0d5c10 |
---
|
|
|
0d5c10 |
.../rhel7_augenrules_two_rules_sep_files.fail.sh | 8 ++++++++
|
|
|
0d5c10 |
1 file changed, 8 insertions(+)
|
|
|
0d5c10 |
create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_two_rules_sep_files.fail.sh
|
|
|
0d5c10 |
|
|
|
0d5c10 |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_two_rules_sep_files.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_two_rules_sep_files.fail.sh
|
|
|
0d5c10 |
new file mode 100644
|
|
|
0d5c10 |
index 0000000000..0e70910537
|
|
|
0d5c10 |
--- /dev/null
|
|
|
0d5c10 |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_two_rules_sep_files.fail.sh
|
|
|
0d5c10 |
@@ -0,0 +1,8 @@
|
|
|
0d5c10 |
+#!/bin/bash
|
|
|
0d5c10 |
+# profiles = xccdf_org.ssgproject.content_profile_pci-dss
|
|
|
0d5c10 |
+# remediation = bash
|
|
|
0d5c10 |
+# platform = Red Hat Enterprise Linux 7,Fedora
|
|
|
0d5c10 |
+
|
|
|
0d5c10 |
+mkdir -p /etc/audit/rules.d
|
|
|
0d5c10 |
+echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/priv.rules
|
|
|
0d5c10 |
+echo "-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules
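Review bot: Nothing in the new scenario says what it is meant to prove and the filename only hints at it; a header comment such as `# newgrp's rule lives in priv.rules while passwd's goes to privileged.rules: remediation must add the missing rules without re-adding newgrp to a second file` would tie it to the remediation change it exercises. The passwd line uses `-F key=` where the newgrp line uses `-k`, which is presumably deliberate to cover both spellings and deserves a word as well.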
|
|
|
0d5c10 |
|
|
|
0d5c10 |
From d706bdbebb8e2ffbd4872ea7870ac5f1e2f6a00e Mon Sep 17 00:00:00 2001
|
|
|
0d5c10 |
From: Watson Sato <wsato@redhat.com>
|
|
|
0d5c10 |
Date: Fri, 15 Mar 2019 15:56:11 +0100
|
|
|
0d5c10 |
Subject: [PATCH 6/6] Do not add rule if it was handled in another file
|
|
|
0d5c10 |
|
|
|
0d5c10 |
---
|
|
|
0d5c10 |
..._audit_rules_privileged_commands_remediation.sh | 14 ++++++++++----
|
|
|
0d5c10 |
1 file changed, 10 insertions(+), 4 deletions(-)
|
|
|
0d5c10 |
|
|
|
0d5c10 |
diff --git a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
|
|
|
0d5c10 |
index d824e5debb..91eeedb545 100644
|
|
|
0d5c10 |
--- a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
|
|
|
0d5c10 |
+++ b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
|
|
|
0d5c10 |
@@ -71,7 +71,7 @@ declare -a sbinaries_to_skip=()
|
|
|
0d5c10 |
for sbinary in "${privileged_binaries[@]}"
|
|
|
0d5c10 |
do
|
|
|
0d5c10 |
|
|
|
0d5c10 |
- # Check if this sbinary wasn't already handled in some of the previous iterations
|
|
|
0d5c10 |
+ # Check if this sbinary wasn't already handled in some of the previous sbinary iterations
|
|
|
0d5c10 |
# Return match only if whole sbinary definition matched (not in the case just prefix matched!!!)
|
|
|
0d5c10 |
if [[ $(sed -ne "\|${sbinary}|p" <<< "${sbinaries_to_skip[*]}") ]]
|
|
|
0d5c10 |
then
|
|
|
0d5c10 |
@@ -169,9 +169,15 @@ do
|
|
|
0d5c10 |
elif [ "$tool" == "auditctl" ] || [[ "$tool" == "augenrules" && $count_of_inspected_files -eq "${#files_to_inspect[@]}" ]]
|
|
|
0d5c10 |
then
|
|
|
0d5c10 |
|
|
|
0d5c10 |
- # Current audit rules file's content doesn't contain expected rule for this
|
|
|
0d5c10 |
- # SUID/SGID binary yet => append it
|
|
|
0d5c10 |
- echo "$expected_rule" >> "$output_audit_file"
|
|
|
0d5c10 |
+ # Check if this sbinary wasn't already handled in some of the previous afile iterations
|
|
|
0d5c10 |
+ # Return match only if whole sbinary definition matched (not in the case just prefix matched!!!)
|
|
|
0d5c10 |
+ if [[ ! $(sed -ne "\|${sbinary}|p" <<< "${sbinaries_to_skip[*]}") ]]
|
|
|
0d5c10 |
+ then
|
|
|
0d5c10 |
+ # Current audit rules file's content doesn't contain expected rule for this
|
|
|
0d5c10 |
+ # SUID/SGID binary yet => append it
|
|
|
0d5c10 |
+ echo "$expected_rule" >> "$output_audit_file"
|
|
|
0d5c10 |
+ fi
|
|
|
0d5c10 |
+
|
|
|
0d5c10 |
continue
|
|
|
0d5c10 |
fi
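Review bot: The new guard `if [[ ! $(sed -ne "\|${sbinary}|p" <<< "${sbinaries_to_skip[*]}") ]]` is a substring test, not the whole-definition match its comment claims: `${sbinaries_to_skip[*]}` is joined into one line and the sed address is unanchored, so if the array holds bare paths and `/usr/bin/sudo` was handled in an earlier file, `/usr/bin/su` is treated as handled too and its rule is never appended (the pre-existing check at the top of the loop has the same flaw, and a `.` in a path is a regex metacharacter there as well). Replace the sed with an exact comparison over the array as below. The enclosing for/do loop and whatever fills `sbinaries_to_skip` are outside this hunk, so confirm the entries are plain paths before relying on the equality test.
```shell
elif [ "$tool" == "auditctl" ] || [[ "$tool" == "augenrules" && $count_of_inspected_files -eq "${#files_to_inspect[@]}" ]]
then
  # Exact match: a substring test would let /usr/bin/sudo shadow /usr/bin/su
  already_handled=0
  for skipped in "${sbinaries_to_skip[@]}"
  do
    if [ "$skipped" == "$sbinary" ]
    then
      already_handled=1
      break
    fi
  done
  if [ "$already_handled" -eq 0 ]
  then
    # Current audit rules file's content doesn't contain expected rule for this
    # SUID/SGID binary yet => append it
    echo "$expected_rule" >> "$output_audit_file"
  fi

  continue
fi
```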
|
|
|
0d5c10 |
|